Snort mailing list archives

Access to the flow's SYN and SYN-ACK packet


From: ndritsos <ndritsos () gmail com>
Date: Wed, 02 Nov 2011 13:04:38 +0200

Hello everyone,

I need some info about this:


Client  -------Syn------>    server
Client <-----Syn-Ack ---   Server
Client -----Ack--------->    Server
Client ----PSH-- Data="evil"--> Server

My Snort rule catches the packet whose content is "evil",

and in the function

static int drx_eval(void *P){
    SFSnortPacket *mysfsPacket = (SFSnortPacket *) P;
    ....
    ...
    etc etc

    // QUESTION:
    // so here I have full access to the packet whose content is the data "evil"

    // at this point, I want to have access to the handshake packets of this flow,
    // I want to extract some info from the first SYN and SYN-ACK packets,
    // especially the field Options --> Window Scale from the SYN and SYN-ACK packets.
    // can someone help me with how to access those fields at the time
    // that Snort catches the packet that contains the data "evil"?

    // is there any field in the struct SFSnortPacket that provides this info???
}


Thank you in advance
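The part of the question that does not depend on Snort internals is the parsing itself: once the SYN and SYN-ACK bytes are in hand, pulling Window Scale (option kind 3, length 3) out of the TCP option list. The following is an added example written for this page, not code from the original post or from the Snort project, and it says nothing about how to reach the handshake packets through SFSnortPacket, which the thread does not establish. It assumes raw TCP header bytes as input; the function names (tcp_wscale_shift, effective_shift) and the three sample segments (kSyn, kSynAck, kBadSyn) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds and flag bits used below (RFC 793 / RFC 7323). */
#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_WSCALE     3
#define TCPOPT_WSCALE_LEN 3
#define TCP_SYN 0x02
#define TCP_ACK 0x10

/* Constructed sample segments (TCP header only, no IP header, checksum zeroed).
   kSyn:    client SYN with options MSS=1460, NOP, Window Scale=7.
   kSynAck: server SYN-ACK with options MSS=1460, NOP, Window Scale=9.
   kBadSyn: SYN whose Window Scale option claims a length that overruns the header. */
static const uint8_t kSyn[] = {
    0xC3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x70, TCP_SYN, 0xFF,0xFF, 0x00,0x00, 0x00,0x00,
    0x02,0x04,0x05,0xB4, 0x01, 0x03,0x03,0x07 };
static const uint8_t kSynAck[] = {
    0x00,0x50, 0xC3,0x50, 0x00,0x00,0x00,0x10, 0x00,0x00,0x00,0x02,
    0x70, TCP_SYN | TCP_ACK, 0x72,0x10, 0x00,0x00, 0x00,0x00,
    0x02,0x04,0x05,0xB4, 0x01, 0x03,0x03,0x09 };
static const uint8_t kBadSyn[] = {
    0xC3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x60, TCP_SYN, 0xFF,0xFF, 0x00,0x00, 0x00,0x00,
    0x03,0x05,0x07,0x00 };

/* Scan the option list of the TCP header at tcp (len bytes available) for Window Scale.
   Returns the shift count as carried on the wire (0..255), -1 if the option is absent,
   or -2 if the header or an option is truncated or malformed. Window Scale is only
   valid on SYN segments, so a non-SYN segment is reported as absent. */
int tcp_wscale_shift(const uint8_t *tcp, size_t len)
{
    if (len < 20) return -2;
    if (!(tcp[13] & TCP_SYN)) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;        /* data offset in bytes */
    if (doff < 20 || doff > len) return -2;
    size_t i = 20;
    while (i < doff) {
        uint8_t kind = tcp[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= doff) return -2;                 /* kind with no length byte */
        uint8_t optlen = tcp[i + 1];
        if (optlen < 2 || i + optlen > doff) return -2; /* bogus length / overruns header */
        if (kind == TCPOPT_WSCALE) {
            if (optlen != TCPOPT_WSCALE_LEN) return -2;
            return tcp[i + 2];
        }
        i += optlen;
    }
    return -1;
}

/* Shift actually applied to the window fields sent by the host that announced own_shift:
   0 unless both the SYN and the SYN-ACK carried Window Scale (RFC 7323 section 2.2),
   and never more than 14. Pass -1 for a side that did not send the option. */
int effective_shift(int own_shift, int peer_shift)
{
    if (own_shift < 0 || peer_shift < 0) return 0;
    return own_shift > 14 ? 14 : own_shift;
}

int main(void)
{
    int c = tcp_wscale_shift(kSyn, sizeof kSyn);
    int s = tcp_wscale_shift(kSynAck, sizeof kSynAck);
    printf("client SYN wscale=%d, server SYN-ACK wscale=%d\n", c, s);
    printf("client windows scaled by 2^%d, server windows by 2^%d\n",
           effective_shift(c, s), effective_shift(s, c));
    printf("malformed SYN -> %d\n", tcp_wscale_shift(kBadSyn, sizeof kBadSyn));
    return 0;
}
```

Two points a practitioner would keep in mind: the shift is only in effect when both sides sent the option, so storing the raw value from one SYN is not enough to interpret later window fields; and since the handshake has already gone by when the "evil" data segment is inspected, the values have to be recorded per flow at the moment the SYN and SYN-ACK are seen rather than looked up from the data packet afterwards.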

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel